X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e8d73e8066b61f7704dc0f6cf200953cdf9a5e60..4b58bfc5b58db18e4816102f9850757f0884a42e:/services/api/test/integration/api_client_authorizations_api_test.rb

diff --git a/services/api/test/integration/api_client_authorizations_api_test.rb b/services/api/test/integration/api_client_authorizations_api_test.rb
index 3a7b201312..1b5c563962 100644
--- a/services/api/test/integration/api_client_authorizations_api_test.rb
+++ b/services/api/test/integration/api_client_authorizations_api_test.rb
@@ -5,6 +5,8 @@
 require 'test_helper'
 
 class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
+  include DbCurrentTime
+  extend DbCurrentTime
   fixtures :all
 
   test "create system auth" do
@@ -74,95 +76,63 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
     assert_response 403
   end
 
-  [nil, Time.now + 2.hours].each do |desired_expiration|
-    test "expires_at gets clamped on non-admins when API.MaxTokenLifetime is set and desired expires_at #{desired_expiration.nil? ? 'is not set' : 'exceeds the limit'}" do
-      Rails.configuration.API.MaxTokenLifetime = 1.hour
+  [nil, db_current_time + 2.hours].each do |desired_expiration|
+    [false, true].each do |admin|
+      test "expires_at gets clamped on #{admin ? 'admins' : 'non-admins'} when API.MaxTokenLifetime is set and desired expires_at #{desired_expiration.nil? ? 'is not set' : 'exceeds the limit'}" do
+        Rails.configuration.API.MaxTokenLifetime = 1.hour
+        token = api_client_authorizations(admin ? :admin_trustedclient : :active_trustedclient).api_token
 
-      # Test token creation
-      start_t = Time.now
-      post "/arvados/v1/api_client_authorizations",
-        params: {
-          :format => :json,
-          :api_client_authorization => {
-            :owner_uuid => users(:active).uuid,
-            :expires_at => desired_expiration,
-          }
-        },
-        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
-      end_t = Time.now
-      assert_response 200
-      expiration_t = json_response['expires_at'].to_time
-      assert_operator expiration_t.to_f, :>, (start_t + Rails.configuration.API.MaxTokenLifetime).to_f
-      if !desired_expiration.nil?
-        assert_operator expiration_t.to_f, :<, desired_expiration.to_f
-      else
-        assert_operator expiration_t.to_f, :<, (end_t + Rails.configuration.API.MaxTokenLifetime).to_f
-      end
+        # Test token creation
+        start_t = db_current_time
+        post "/arvados/v1/api_client_authorizations",
+             params: {
+               :format => :json,
+               :api_client_authorization => {
+                 :owner_uuid => users(admin ? :admin : :active).uuid,
+                 :expires_at => desired_expiration,
+               }
+             },
+             headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
+        assert_response 200
+        expiration_t = json_response['expires_at'].to_time
+        if admin && desired_expiration
+          assert_in_delta desired_expiration.to_f, expiration_t.to_f, 1
+        else
+          assert_in_delta (start_t + Rails.configuration.API.MaxTokenLifetime).to_f, expiration_t.to_f, 2
+        end
 
-      # Test token update
-      previous_expiration = expiration_t
-      token_uuid = json_response["uuid"]
-      start_t = Time.now
-      put "/arvados/v1/api_client_authorizations/#{token_uuid}",
-        params: {
-          :api_client_authorization => {
-            :expires_at => desired_expiration
-          }
-        },
-        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
-      end_t = Time.now
-      assert_response 200
-      expiration_t = json_response['expires_at'].to_time
-      assert_operator previous_expiration.to_f, :<, expiration_t.to_f
-      assert_operator expiration_t.to_f, :>, (start_t + Rails.configuration.API.MaxTokenLifetime).to_f
-      if !desired_expiration.nil?
-        assert_operator expiration_t.to_f, :<, desired_expiration.to_f
-      else
-        assert_operator expiration_t.to_f, :<, (end_t + Rails.configuration.API.MaxTokenLifetime).to_f
-      end
-    end
-
-    test "expires_at can be set to #{desired_expiration.nil? ? 'nil' : 'exceed the limit'} by admins when API.MaxTokenLifetime is set" do
-      Rails.configuration.API.MaxTokenLifetime = 1.hour
+        # Test token update
+        previous_expiration = expiration_t
+        token_uuid = json_response["uuid"]
 
-      # Test token creation
-      post "/arvados/v1/api_client_authorizations",
-        params: {
-          :format => :json,
-          :api_client_authorization => {
-            :owner_uuid => users(:admin).uuid,
-            :expires_at => desired_expiration,
-          }
-        },
-        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
-      assert_response 200
-      if desired_expiration.nil?
-        assert json_response['expires_at'].nil?
-      else
-        assert_equal json_response['expires_at'].to_time.to_i, desired_expiration.to_i
-      end
-
-      # Test token update (reverse the above behavior)
-      previous_expiration = json_response['expires_at']
-      token_uuid = json_response['uuid']
-      if previous_expiration.nil?
-        desired_updated_expiration = Time.now + Rails.configuration.API.MaxTokenLifetime + 1.hour
-      else
-        desired_updated_expiration = nil
-      end
-      put "/arvados/v1/api_client_authorizations/#{token_uuid}",
-        params: {
-          :api_client_authorization => {
-            :expires_at => desired_updated_expiration,
-          }
-        },
-        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
-      assert_response 200
-      if desired_updated_expiration.nil?
-        assert json_response['expires_at'].nil?
-      else
-        assert_equal json_response['expires_at'].to_time.to_i, desired_updated_expiration.to_i
+        start_t = db_current_time
+        patch "/arvados/v1/api_client_authorizations/#{token_uuid}",
+            params: {
+              :api_client_authorization => {
+                :expires_at => desired_expiration
+              }
+            },
+            headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
+        assert_response 200
+        expiration_t = json_response['expires_at'].to_time
+        if admin && desired_expiration
+          assert_in_delta desired_expiration.to_f, expiration_t.to_f, 1
+        else
+          assert_in_delta (start_t + Rails.configuration.API.MaxTokenLifetime).to_f, expiration_t.to_f, 2
+        end
       end
     end
   end
+
+  test "get current token using salted token" do
+    salted = salt_token(fixture: :active, remote: 'abcde')
+    get('/arvados/v1/api_client_authorizations/current',
+        params: {remote: 'abcde'},
+        headers: {'HTTP_AUTHORIZATION' => "Bearer #{salted}"})
+    assert_response :success
+    assert_equal(json_response['uuid'], api_client_authorizations(:active).uuid)
+    assert_equal(json_response['scopes'], ['all'])
+    assert_not_nil(json_response['expires_at'])
+    assert_nil(json_response['api_token'])
+  end
 end